Oregon Bulletin

September 1, 2011


Oregon Health Authority
Chapter 943

Rule Caption: Authority control process for organizations and users seeking or receiving access to Authority information assets.

Adm. Order No.: OHA 16-2011(Temp)

Filed with Sec. of State: 8-9-2011

Certified to be Effective: 8-9-11 thru 2-2-12

Notice Publication Date:

Rules Adopted: 943-014-0300, 943-014-0305, 943-014-0310, 943-014-0315, 943-014-0320

Subject: These rules apply to anyone who seeks access to the Oregon Health Authority’s (Authority) information assets, systems, and networks. It establishes access controls for all organizations and users and requires organizations to establish a risk management plan addressing common safeguards and HIPAA compliance. These rules allow for audits of organizations handling Authority information assets, address privilege changes, and establish requirements for reporting incidents and resolutions.

Rules Coordinator: Suzanne Hoffman—(503) 881-6897



These rules (OAR 943-014-0300 through 943-014-0320) apply to an organization or individual seeking or receiving access to Authority information assets or network and information systems for the purpose of carrying out a business transaction between the Authority and the user.

(1) These rules are intended to complement, and not supersede, access control or security requirements in the Authority’s Electronic Data Transmission rules, OAR 943-120-0100 to 943-120-0200, and whichever rule is more specific shall control.

(2) The confidentiality of specific information and the conditions for use and disclosure of specific information are governed by other laws and rules, including but not limited to the Authority’s rules for the privacy of protected information, OAR 943-014-0000 to 943-014-0070.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 182.122

Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12



For purpose of these rules, the following terms have definitions set forth below. All other terms not defined in this section shall have the meaning used in the Health Insurance Portability and Accountability Act (HIPAA) security rules found at 45 CFR § 164.304:

(1) “Access” means the ability or the means necessary to read, communicate, or otherwise use any Authority information asset.

(2) “Access Control Process” means Authority forms and processes used to authorize a user, identify their job assignment, and determine the required access.

(3) “Authority” means the Oregon Health Authority.

(4) “Client Records” means any client, applicant, or participant information regardless of the media or source, provided by the Authority to the user, or exchanged between the Authority and the user.

(5) “Incident” means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of any network and information system or Authority information asset including, but not limited to unauthorized disclosure of information; failure to protect user’s identification (ID) provided by the Authority; or, theft of computer equipment that uses or stores any Authority information asset.

(6) “Information Asset” means any information, also known as data, provided through the Authority, regardless of the source or media, which requires measures for security and privacy of the information.

(7) “Network and Information System” means the State of Oregon’s computer infrastructure, which provides personal communications, client records and other sensitive information assets, regional, wide area and local area networks, and the internetworking of various types of networks on behalf of the Authority.

(8) “User” means any individual authorized by the Authority to access a network and information system or information asset.

(9) “Organization” means any entity authorized by the Authority to access a network and information system or information asset.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 182.122

Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12


Information Access

The organization or user shall utilize the Authority access control process for all requested and approved access. The Authority shall notify the user of each approval or denial. When approved, the Authority shall provide the user with a unique login identifier to access the network and information system or information asset. The Authority may authorize the use of a generic login identifier.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 182.122

Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12


Security Information Assets

(1) No organization or user shall access an information asset for any purpose other than that specifically authorized by the Authority access control process.

(2) Except as specified or approved by the Authority, no organization or user shall alter, delete, or destroy any information asset.

(3) The organization shall prohibit unauthorized access by their staff, contractors, agents, or others to the network and information systems, or Authority information assets, and shall implement safeguards to prevent unauthorized access in accordance with section (4) of this rule.

(4) The organization shall develop a security risk management plan. The organization shall ensure that the plan includes, but is not limited to the following:

(a) Administrative, technical, and physical safeguards commonly found in the International Standards Organization 27002: 2005 security standard or National Institute of Standards and Technology (NIST) 800 Series;

(b) Standards established in accordance with HIPAA Security Rules, 45 CFR Parts 160 and 164, applicable to an organization or user regarding the security and privacy of a client record, any information asset, or network and information system;

(c) The organization’s privacy and security policies;

(d) Controls and safeguards that address the security of equipment and storage of any information asset accessed to prevent inadvertent destruction, disclosure, or loss;

(e) Controls and safeguards that ensure the security of an information asset, regardless of the media, as identified below:

(A) The user keeps Authority-assigned access control requirements such as identification of authorized users and access control information (passwords and personal identification numbers (PIN’s)), in a secure location until access is terminated;

(B) Upon request of the Authority, the organization makes available all information about the user’s use or application of the access controlled network and information system or information asset; and

(C) The organization or user ensures the proper handling, storage, and disposal of any information asset obtained or reproduced, and, when the authorized use of that information ends, is consistent with any applicable record retention requirements.

(f) Existing security plans developed to address other regulatory requirements, such as Sarbanes-Oxley Act of 2002 (PL 107-204), Title V of Gramm Leach Bliley Act of 1999, Statement on Auditing Standards (SAS) number 70, will be deemed acceptable as long as they address the above requirements.

(5) The Authority may request additional information related to the organization’s security measures.

(6) The organization or user must immediately notify the Authority when access is no longer required, and immediately cease access to or use of all information assets or network and information systems.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 182.122

Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12


User Responsibility

The organization or user shall not make any root level changes to any Authority or State of Oregon network and information system. The Authority recognizes that some application users have root level access to certain functions to allow the user to diagnose problems (such as startup or shutdown operations, disk layouts, user additions, deletions or modifications, or other operation) that require root privileges. This access does not give the user the right to make any changes normally restricted to root without explicit written permission from the Authority.

(1) Use and disclosure of any Authority information asset is strictly limited to the minimum information necessary to perform the requested and authorized service.

(2) The organization shall have established privacy and security measures that meet or exceed the standards set forth in the Authority privacy and information security policies, available from the Authority, regarding the disclosure of an information asset.

(3) The organization or user shall comply with all security and privacy federal and state laws, rules, and regulations applicable to the access granted.

(4) The organization shall make the security risk plan available to the Authority for review upon request.

(5) The organization or user shall report to the Authority all privacy or security incidents by the user that compromise, damage, or cause a loss of protection to the Authority information assets or the network and information systems. The incident report shall be made no later than five business days from the date on which the user becomes aware of such incident. The user shall provide the Authority a written report which must include the results of the incident assessment findings and resolution strategies.

(6) Wrongful use of a network and information system, or wrongful use or disclosure of an Authority information asset by the organization or user may cause the immediate suspension or revocation of any access granted, at the sole discretion of the Authority without advance notice.

(7) The organization or user shall comply with the Authority’s request for corrective action concerning a privacy or security incident and with laws requiring mitigation of harm caused by the unauthorized use or disclosure of confidential information, if any.

Stat. Auth.: ORS 413.042

Stats. Implemented: ORS 182.122

Hist.: OHA 16-2011(Temp), f. & cert. ef. 8-9-11 thru 2-2-12

1.) This online version of the OREGON BULLETIN is provided for convenience of reference and enhanced access. The official, record copy of this publication is contained in the original Administrative Orders and Rulemaking Notices filed with the Secretary of State, Archives Division. Discrepancies, if any, are satisfied in favor of the original versions. Use the OAR Revision Cumulative Index found in the Oregon Bulletin to access a numerical list of rulemaking actions after November 15, 2010.

2.) Copyright 2011 Oregon Secretary of State: Terms and Conditions of Use

Oregon State Archives • 800 Summer St. NE • Salem, OR 97310